Looking Ahead: What Now for Europe and Its Data Handling and Privacy Landscape? by Barry Cook, Group Data Protection Officer at VFS Global

The last couple of years have been huge for data. Exposés and leaks involving social media and online organisations have stirred public interest in data ownership and matters of privacy, and new legislation, in the form of the European Union’s (EU) General Data Protection Regulation (the GDPR), has made the impacts of data handling and retention clearer than ever before.

GDPR has been game-changing and puts the continent at the front of the pack from a regulatory point of view. It means businesses in the EU-27 are adhering to the highest global benchmark for data handling and security, and that upwards revisions in legislation, when and where they occur, shouldn’t be overly burdensome.

For all businesses, though, there are still things to look out for. We need only look at the recently drafted CNIL and ICO cookie guidelines, in France and the UK, which will regulate meta-data and cookies; the post-Brexit arrangements in Britain, which will, almost inevitably, bring some revision to existing legislation; and, of course, the sister legislation to the GDPR, the e-Privacy Regulation (ePR), which is expected to come into force across Europe in 2020.

The former is particularly noteworthy, for the CNIL and ICO guidelines effectively pre-empt the roll out of the ePR and, in turn, specify a series of practical techniques for businesses to obtain valid cookie consent from web visitors. The main novelties of the CNIL guidelines, which were adopted by the French DPA in July – and carried in a slightly different format by the UK’s Information Commissioner’s Office (ICO) in its published ‘Guidance’ in August – are twofold: scrolling down or swiping through a website or application will no longer constitute an expression of consent, and organisations that operate tracking devices will be compelled to demonstrate that they have obtained a visitor’s consent to collect their data.

There’s also the future status of the UK to consider, as it continues to plot its exit from the EU. For businesses, the uncertainty regarding the country’s landing zone has persisted now for three and a half years, and, even with the new exit date pencilled in for the end of January 2020, there’s every possibility this could be pushed again.

Still, preparations for the UK’s exit should be factored in and be multi-faceted in nature. The most likely destination, it would seem, is that the UK would pivot to being recognised as an “adequate third country” by the EU on its exit. This means, in short, that its regulatory framework complies with Article 45 of the GDPR.

However, if this fails to manifest – which is conceivable in the event of a “no deal” scenario – UK and EU operators could be required to fall back on:

  • Model contractual clauses, which are approved by the European Commission or the relevant Supervisory Authority, and which were the default prior to the GDPR;
  • Ad-hoc contractual clauses, which are approved solely by national authorities;
  • And binding corporate rules (BCRs), which permit data transfers to/from the UK, when dealing with transfers between organisations within a corporate group.

Such an eventuality will already be in the minds of many legal and privacy teams, as will the possible implications for their data centres. This latter issue stems from the fact that, as per Article 4(16) of the GDPR, EU businesses are required to have a “main establishment” in the bloc’s jurisdiction. This “establishment” is a base where “decisions on the purposes and means of the processing of personal data are taken” and “that yields the power to implement decisions”.

In order to comply with this requirement, it may be necessary for businesses in the UK to consider changing the site of their main establishment. This, ultimately, will depend on the organisation’s primary market – for example, if their revenue and business are overwhelmingly concentrated in the EU-27, and not just domestic or more broadly international, it could be financially prudent to re-site their main establishment.

The ePR, as mentioned already, is also on the horizon. This set of rules, for member states of the EU, will provide coverage over electronic communications, such as emails, faxes, texts and phone calls; the use of cookies; the security of public electronic communications services; and the privacy needs of end users. Like the CNIL and ICO guidelines, which have been published already and are expected to be introduced in the first quarter of 2020, the ePR will particularise the rules of the GDPR to give the end-user (i.e. the consumer) the right to control the processing of information generated for communications purposes, such as online tracking and data collation.

So, there’s no let-up. Whether it’s potential revisions to the GDPR; new regulations, in the form of the ePR; the roll out of reworked national guidelines, in play, already, in France and the UK; or, of course, the challenges posed by the UK’s exit from the EU, businesses of all sizes will need to be on watch, and ready, for change.